Vulnerability Details: CVE-2013-2488
The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not validate the fragment offset before invoking the reassembly state machine, which allows remote attackers to cause a denial of service (application crash) via a large offset value that triggers write access to an invalid memory location.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2013-2488
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.6.13:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-2488
- EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~61% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2013-2488
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2013-2488
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-2488
- http://www.wireshark.org/docs/relnotes/wireshark-1.8.6.html (Wireshark · Wireshark 1.8.6 Release Notes; Vendor Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16672 (Repository / Oval Repository)
- http://www.wireshark.org/security/wnpa-sec-2013-22.html (Wireshark · wnpa-sec-2013-22 · DTLS dissector crash; Vendor Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00065.html (openSUSE-SU-2013:0494-1: moderate: wireshark: update to 1.8.6)
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8380 (Bug Access Denied)
- http://www.debian.org/security/2013/dsa-2644 (Debian -- Security Information -- DSA-2644-1 wireshark)
- http://www.wireshark.org/docs/relnotes/wireshark-1.6.14.html (Wireshark · Wireshark 1.6.14 Release Notes; Vendor Advisory)
- http://anonsvn.wireshark.org/viewvc?view=revision&revision=48011 (code.wireshark Code Review - wireshark.git/tree; Vendor Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00077.html (openSUSE-SU-2013:0506-1: moderate: wireshark: update to 1.8.6)